Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Code

Documentation

Mind map with requirements

Access

Data model

...

Image Added

Entities

  • Applicant - The user of who want to have their identity vetted. They use Applicant vetting application.
  • RA (registration authority) - The user responsible for approving claims that have been presented by applicants. They use RA vetting application.
  • User - Applicant, RA (and potentially instance of another type of user).
  • Approval - Confirmation by another user (typically by RAs) regarding

...

  • Assertions about an

...

  • Applicant.
    We can not approve Attestations because there is a weak (N-N) link that relates Attestations to Assertions which could lead to Applicant exchanging Assertions for approved Attestations if they are not hard-linked. If we link the Attestation hard to the Assertion, we are in fact approving the Assertion and not the Attestation. approved_with holds extra metadata about the approval, e.g. "in person". Since the earned Attestations will automatically follow from approving Assertions, the RA should be shown what Assertions she implicitly approves by approving the Assertion.
  • Assertion - Record of some evidence that supports a

...

  • Claim or the content or value(s) associated with that

...

  • Claim; in case of self-assertions, it just serves to connect users to

...

  • Claims about them (when they are just instances of

...

  • Claims) and provide the actual content of the

...

  • Claim (such as an external identifier, ID doc number etc., perhaps even to quantify the amount of confidence for the

...

  • Claim in the form of LoA).
  • Claim (= alternative descriptive name: assertion type?) -

...

  • Standardised statement related to the applicant that is implied by the assertion, config is used for its

...

  • technical implementation (e.g.

...

  • in the case of a Federative Claim based on SAML it contains the entityID of the IdP/Proxy) and visual presentation. Claims determine what Assertions are about, so they classify Assertions and should reflect an Assertions-related 'vocabulary'.

...

  • It is important to note that

...

  • the Assertion is the instantiation of the Claim for the specific user, but it may warrant several

...

  • Attestations!

...

  • Claim_type (= alternative descriptive names: assertion group, assertion creator?)

...

  • The technical back-end implementation of a Claim, e.g.

...

  • SAML, OIDC or a Self-Asserted form. It takes the config from the parent Claim.
  • Attestation - Kinds of conclusions that can be stated about users. They are based on

...

  • Claims via the relations defined in the att2claims table.
  • Attestations for Claims

...

  • (att2claims) - Association between

...

  • Assertions of Claims and Attestations they lead to.

Data

...

usage notes

BMa:

  1. On the specificity of claims, I assume thatClaims:
    1. 'Assertion-Claim-Claim_type' train/procession reflects the technological (evidence/delivery/implementation) aspect.
    2. 'Assertion-Claim-att2claim-Attestation' train reflects the semantic aspect, i.e. what can be concluded about users based on assertionsevidence recorded in the Assertions.
    3. Since 'Claim' is the juncture for both a. and b., it can be quite granular, as it is specific in terms of both assertions Assertions (what they contain how they are produced) and attestations Attestations (what assertions Assertions say about users)
  2. The associations between claims Assertions of assertions Claims and attestations Attestations are currently untyped/unqualified, so there are no different variants of them variants for different uses, but we may later introduce some 'LoAs' or clustering semantics: "A specific assertion The Assertion provides the claim Claim by which we <predicate> some attestation the related Attestation (determined by the attestationAttestation's name) about the applicant/ user", where <predicate> could be one of <predicate> is : "support (=corrobating evidence)", "imply (direct =sufficent evidence), "add info relevant for", "negate", or even "provide one of 3 required 3 confirmations for").
  3. Assertion→claim→attestation Assertion→Claim→Attestation can be also used for internal purposes, ege.g. as a mechanism to record some internally used information about users (in assertionsAssertions), their roles (in claimsClaims) and permissions (in attestattions)Attestations).
  4. User/Claim Assertions will only exist in two flavours: the one that has been approved by the RA, as a copy of the last known good state of the Attestation and (possibly) a newer one that represents the refreshed state of the Assertion. The refreshed Assertion can be (re)approved by the RA and when doing so, will invalidate the approval of the old assertion, so that on any moment in time there will only be one approval->assertion->claim→attestation train.

Newly discovered related conceptual works